Re: HTTP Alternative Services: What about TLS client certificates?

On 30 March 2015 at 12:26, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote:
> On Mon, Mar 30, 2015 at 10:10:20AM -0700, Roy T. Fielding wrote:
>> Why is the origin on the client still http://bank.com/ when it is
>> deliberately making requests to https://bank.com:443/ ?
>
> Because ALT-SVC does not change origin, only transport.

That was my answer to the concern: don't tie your authentication to
the transport, tie it to the origin.  That is, if you are requesting
resources for a given origin, then make sure that you have everything
you need for that origin, including server authentication,
confidentiality and integrity if it is https://.  Finally, don't send
cookies, authentication or other stuff to origins that don't deserve
them, regardless of what is actually being used to send packets.

Received on Monday, 30 March 2015 17:48:48 UTC
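As an added illustration of the policy in the reply above (not code from the thread or from any HTTP implementation), a client-side rule set that keys cookies and client certificates to the origin and checks the transport only for what the origin requires; the class names, the `tls` flag and the `cert_names` model are assumptions.

```python
# Added example: credentials are chosen by ORIGIN (scheme, host, port);
# the alternative transport is checked only against what the origin needs.
# Origin/AltService/Cookie, the tls flag and cert_names are assumed models.
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: int

@dataclass(frozen=True)
class AltService:
    host: str
    port: int
    tls: bool                              # does the alternative speak TLS?
    cert_names: frozenset = frozenset()    # names its certificate is valid for

@dataclass(frozen=True)
class Cookie:
    name: str
    secure: bool

def origin_of(url: str) -> Origin:
    """Derive the origin from the request URL, not from where packets go."""
    u = urlsplit(url)
    default = 443 if u.scheme == "https" else 80
    return Origin(u.scheme, u.hostname, u.port or default)

def transport_ok(origin: Origin, alt: AltService) -> bool:
    """An https:// origin needs TLS plus a certificate that names the ORIGIN
    host (not the alternative's host); an http:// origin requires nothing."""
    if origin.scheme != "https":
        return True
    return alt.tls and origin.host in alt.cert_names

def cookies_for(origin: Origin, jar: list) -> list:
    """Secure cookies go only to https:// origins, even when the packets
    happen to travel over a TLS alternative."""
    return [c.name for c in jar if not c.secure or origin.scheme == "https"]

def client_cert_for(origin: Origin, certs: dict):
    """Client certificates are keyed by origin, so http://bank.com reached
    over a TLS alternative never presents the cert enrolled for https://."""
    return certs.get(origin)
```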